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Creating a SYN port scanner 


In this chapter we are going to use our knowledge on packets to create our own 
SYN port scanner. 


A very simple port scanner 


Port scanners are tools designed to probe a server for open ports. They are used by 
many people such as administrators or pentesters to check the attack surface of 
their systems and identify networks services running on them. One of the most 
well-known port scanners is nmap. These port scanners typically allow several 
different kind of scanning techniques. The most basic one is the TCP connect scan. 
With this technique the port scanner tries to complete a full TCP three-way 
handshake ( [SYN], [SYN ACK], [ACK] , see Recap on network layers and 
protocols) with the targeted port on the system to scan. The following Python 
script does exactly this: 


import socket 


def scan(host, port): 
s = socket.socket(socket.AF INET, socket.SOCK STREAM) 
try: 
s.connect((host, port) ) 
print("Port open: " + str(port)) 
s.close() 
except: 
print("Port closed: " + str(port)) 


host = "10.10.10.1" 
for port in [21, 22, 80]: 
scan(host, port) 


root@kali:~# python3 simple scanner.py 
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Port closed: 21 
Port closed: 22 
Port open: 80 


In Wireshark we can observe the exact behavior of our simple port scanner: 


"i /ip.addr == 10.10.10.1 BEJ ~| Expression.. + 


No. Time Source Destination Protocol Length Info 
1 0.000000000 10.10.10.2 10.10.10.1 74 48194 — 21 [SYN] Seq=) Win=29200 Len=0 MSS=146 
2 0.000593749 10.10.10.1 10.10.10.2 60 21 48194 (RST, ACK]] Seq=1 Ac 1 Win=0 Len=0 
74 54586 — 22 [SYN] Seq=) Win=29200 Len=0 MSS=146 
5458 [RST ACK AC 1 Wi ) ¢ 


5 0.002454947 10.10.10.2 10.10.10.1 74 60438 — 80 Seq=p Win=29200 Len=0 MSS=146 


6 0.002970971 10.10.10.1 10.10.10.2 TCP 74 80 — 60438 [[SYN, ACK]| Seq=@ Ack=1 Win=28960 Le 
7 0.002995430 10.10.10.2 10.10.10.1 TCP 66 60438 — 80|[ACK] Seq=. Ack=1 Win=29312 Len=0 T 
8 0.003109703 10.10.10.2 10.10.10.1 TCP 66 60438 — 80 [|[FIN, ACK]]| Seq=1 Ack=1 Win=29312 Le 
9 0.003631622 10.10.10.1 10.10.10.2 TCP 66 80 — 60438 , ACK]| Seq=1 Ack=2 Win=29056 Le 
10 0.003646440 10.10.10.2 10.10.10.1 TCP 66 60438 — 80 Seq=P Ack=2 Win=29312 Len=0 T 


We are scanning for the three ports 21, 22 and 80. For the first two ports we see 
that they are closed as we receive a [RST ACK] packet for each of them from the 
server. However, port 80 is open as we completed a TCP three-way handshake as 
well as a normal TCP connection termination initiated by us after that. 


This kind of port scan is even possible if the user does not have the privileges to 
create raw packets on the system as the script asks the underlying operating 
system to establish the connection with the target machine by a connect system 
call. However, this method is quite noisy, and the target machine is very likely to 
log the connection. 


TCP SYN Scan 


A faster and a little bit more stealthy port scan is a SYN scan. This is probably the 
most common technique for port scanners in general. Often also referred to as 
half-open scanning, because you don’t do a full TCP connection. You senda [SYN] 
packet and then wait for the response. A [SYN ACK] indicates that the port is 
open, while a [RST] indicates that it’s closed. In contrast to the connect scan, in 
this method of scanning we do not complete the three-way handshake by sending 
a [ACK] ourselves, but terminate the connection. 


Looking back at an excerpt from the script with which we created a TCP/IP packet, 
what values would we need to change for a port scanner use case? 
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ip header = 
ip header + 
ip header + 
ip header + 
ip header + 


tcp header = 
tcp header += 
tcp header += 
tcp header += 
tcp header += 


b'\x45\x00\x00\x28' 
b'\xab\xcd\x00\x00' 
b'\x40\x06\xa6\xec' 
b'\x0a\x0a\x0a\x02' 
b'\x0a\x0a\x0a\xO1' 


b'\x30\x39\x00\x50' 
b'\x00\x00\x00\x00' 
b'\x00\x00\x00\x00' 
b'\x50\x02\x71\x10' 
b'\xe6\x32\x00\x00' 
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# Version, IHL, Type of Service | Total 
# Identification | Flags, Fragment Offs 
# TTL, Protocol | Header Checksum 

# Source Address 

# Destination Address 


# Source Port | Destination Port 

# Sequence Number 

# Acknowledgement Number 

# Data Offset, Reserved, Flags | Windc 
# Checksum | Urgent Pointer 


The most obvious changes necessary are probably the Destination Address and 
Destination Port. Changing those parameters makes it necessary for us to also 
adjust the Header Checksum and the Checksum from the TCP segment on the fly. 


Let’s put together what our script needs to do: 


. Take our target IP address and port as input 


. Insert them into a blueprint fora [SYN] packet 


. Send the packet 


1 
2 
3. Calculate the new checksums 
4 
5 


. Check the response for [SYN, ACK] , if present: port open, if not: port 


closed 


6. Repeat all steps above (with a different port) 


Congratulations, you are now able to create your own TCP SYN port scanner! In 


order to be a little bit more flexible, a rewrite of the previous scripts should be 


done. The struct Python module helps in working with the binary data. In case you 


want to see how the steps above could look like in code, have a look at the 


following lines. 


import socket 


from struct import * 


import binasc 


class Packet: 


ii 


def init (self, src_ip, dest _ip, dest port): 
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# https://docs.python.org/3.7/library/struct.html#format-charact 
# all values need to be at least one byte long (-> we need to ac 


HHHHHHHHHHHH 

# IP segment 

self.version = 0x4 

self.ihl = 0x5 

self.type of service = 0x0 

self.total_ length = 0x28 
self.identification = Oxabcd 

self.flags = 0x0 

self.fragment offset = 0x0 

self.ttl = 0x40 

self.protocol = 0x6 

self.header checksum = 0x0 

self.src_ip = src ip 

self.dest_ ip = dest ip 

self.src_ addr = socket.inet aton(src_ ip) 
self.dest addr = socket.inet aton(dest ip) 
self.v_ihl = (self.version << 4) + self.ihl 
self.f fo = (self.flags << 13) + self.fragment offset 


HHHHHHHHHHHHH 

# TCP segment 

self.src_ port = 0x3039 

self.dest port = dest port 

self.seq no = 0x0 

self.ack no = 0x0 

self.data offset = 0x5 

self.reserved = 0x0 

self.ns, self.cwr, self.ece, self.urg, self.ack, self.psh, self. 
self.window size = 0x7110 

self.checksum = 0x0 

self.urg pointer = 0x0 

self.data offset res flags = (self.data offset << 12) + (self.re 


HHHHHHHH 

# packet 

self.tcp header = b"" 
self.ip header = b"" 
self.packet = b"" 
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def calc _checksum(self, msg): 


Ss = 0 

for i in range(0, len(msg), 2): 
w = (msg[i] << 8) + msg[i+1] 
S=S+w 

# s = 0x119cc 

s = (s >> 16) + (s & Oxffff) 

# s = 0x19cd 

s = ~s & Oxffff 

# s = 0xe632 

return s 


def generate tmp ip header(self): 
tmp ip header = pack("!BBHHHBBH4s4s", self.v_ihl, self.type of s 
self.identification, self.f_ fc 
self.ttl, self.protocol, self. 
self.src_addr, 
self.dest addr) 
return tmp _ip header 


def generate tmp tcp header(self): 
tmp tcp header = pack("!HHLLHHHH", self.src port, self.dest port 
self.seq_ no, 
self.ack_ no, 
self.data offset res flags, self. 
self.checksum, self.urg pointer) 
return tmp tcp header 


def generate packet(self): 

# IP header + checksum 

final_ip header = pack("!BBHHHBBH4s4s", self.v_ihl, self.type of 
self.identification, sel 
self.ttl, self.protocol, 
self.src_ addr, 
self.dest addr) 

# TCP header + checksum 

tmp tcp header = self.generate tmp tcp header() 

pseudo header = pack("!4s4sBBH", self.src_ addr, self.dest addr, 
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def 


psh = pseudo header + tmp tcp header 


https://inc0Ox0.com/tcp-ip-packets-introduction/tcp-ip-pa... 


final tcp header = pack("!HHLLHHHH", self.src_ port, self.dest_pc 


self.seq_ no, 
self.ack no, 


self.data offset res flags, 
self.calc_checksum(psh), se 


self.ip header = final ip header 
self.tcp header = final tcp header 
self.packet = final _ip header + final tcp header 


send packet(self): 


s = socket.socket(socket.AF INET, socket.SOCK RAW, socket.IPPROT 


s.setsockopt(socket.IPPROTO IP, socket.IP_HDRINCL, 1) 
s.sendto(self.packet, (self.dest ip, 0)) 

data = s.recv(1024) 

s.close() 

return data 


# could work with e.g. struct.unpack() here 

# however, lazy PoC (012 = [SYN ACK]), therefore: 
def check _if open(port, response): 

cont = binascii.hexlify(response) 

if cont[65:68] == b"012": 


for 


print("Port "+str(port)+" is: open") 


else: 


print("Port "+str(port)+" is: closed") 


port in [21, 22, 80, 8080]: 


p = 


Packet("10.10.10.2", "10.10.10.1", port) 


p.generate packet() 
result = p.send_packet() 
check if open(port, result) 


Small exercise: Compare the difference in the packets you get back from your own 
local test server (10.10.10.1), compared to for example the IP address of google.com 
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on port 21 and port 80. How could you improve the upper script? 


Final words 


As you have seen, it’s very much possible to create and send raw packets manually, 
even in high level languages such as Python. However, a more comfortable way of 
working with sockets, packets and networking in general would be Scapy, an 
interactive packet manipulation program for Python. If you are interested in that 
area, I highly recommend you have a look at it. Overall, I hope you did learn a few 
things from this series, and maybe can use that knowledge for example in your next 
fuzzing project, pentest or as a basis for further improvement. 


A word of warning: Use port scanners only on your own systems or servers where 
you have the explicit permission to scan. Depending of the jurisdiction you and/or 
your target system are in, you might get in conflict with the law when performing 
unsolicited port scans. 
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